Nine Iranians working on behalf of the Islamic Revolutionary Guard Corps hacked the computers of 7998 professors at 320 universities around the world over the past 5 years, an indictment filed by a federal grand jury alleges. The hackers stole 31.5 terabytes of documents and data, including scientific research, journals, and dissertations, the indictment alleges. Their targets also included the United Nations, 30 U.S. companies, and five U.S. government agencies.

The “massive and brazen cyber assault,” reports Jon Cohen in today's Science, is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” U.S. Attorney Geoffrey Berman of the Southern District of New York, where the indictment was filed, said at a press conference this morning.

The hacks came to light through investigations by the Federal Bureau of Investigation and reports from victims. “The hackers targeted innovations and intellectual property from our country’s greatest minds,” Berman said, adding that they went after data and research from many fields.

According to the indictment, 3768 of the hacked professors were at 144 U.S. universities, and the attackers stole data that cost these institutions about $3.4 billion to “procure and access.” The accused allegedly set up an institute in Iran called Mabna that coordinated and paid for the hacks. The defendants then sold the stolen data through two websites, Gigapaper and Megapaper. The institute, the indictment says, aimed to “assist Iranian universities, as well as scientific and research organizations, to obtain access to non-Iranian scientific resources.”

The charges against the accused include wire fraud, aggravated identity theft, and conspiracy to commit computer intrusions. The indictment says the university breaches involved “spearfishing,” in which the accused sent emails to targets that tricked them into providing their login credentials. The emails supposedly came from professors who read articles by the targets and asked to see more of their work, providing links. A click on the link took the victim to a fake internet domain that resembled their own university’s website and asked them to log in. For the private sector, the indictment says hackers used “password spraying,” cracking into accounts with commonly used passwords; then they “exfiltrated entire email mailboxes from the victims” and also captured new outgoing and incoming email from compromised individuals.